Fisher Investments Arabia
Employee and Contractor Privacy & Cookie Policy

Last Updated: October 2023

1. General

This Employee and Contractor Privacy & Cookie Policy (“Policy”) is in accordance with the with with the Personal Data Protection Law issued by Royal Decree No. M/19 dated 09/02/1443H (corresponding to 16 September 2021G) and amended by Royal Decree No. M/148 dated 05/09/1444H (corresponding to 27 March 2023G) (“PDPL”) and any regulations issued thereunder (together with the PDPL, “Privacy Laws”), and sets out how Fisher Investments Arabia and its affiliates (collectively, the “Company”) use Personal Data relating to the following natural people (“Individuals”):

• prospective, current, and former employees, whether permanent or temporary (“Employees”);
• prospective, current, and former contractors (“Contractors”).

In this Policy, “Personal Data” means any information through which an Individual may be directly or indirectly identified. The Company is committed to privacy and will use Individuals’ Personal Data only in accordance with this Policy.

The Company can be contacted about this Policy using the following details:

Fisher Investments Arabia
Attn: Personal Data Protection
Suite 1808-09, Building No. 7277
Level 18 Al Faisaliah Tower
King Fahad Highway
Olaya District,P.O. Box 54995
Riyadh 11524, Kingdom of Saudi Arabia
privacy@fisherinvestments.sa
+966 11 299 0580

2. Types of Personal Data

The Company collects and processes the following types of Personal Data for Individuals:

• records of work history (including internal and external work history and references), education and qualifications (including information provided on an application or CV);
• contact details (e.g. name, address, email address, telephone number);
• contact information of spouse / partner / dependent(s) and emergency contact details;
• date and place of birth and nationality;
• Saudi National Identification numbers;
• marital status;
• background check information, which may reveal data concerning criminal convictions or offences;
• bank details and account numbers;
• compensation, fees, bonus or incentive information, tax rates and withholding information (including invoices, amounts paid or withheld, the frequency and currency of payments);
• expense reimbursements (including receipts and amounts paid);
• Employee benefits information (e.g. health insurance, pension contributions) (including amounts paid, the frequency and currency of payments);
• records of performance (including evaluations of competence, ongoing supervision and monitoring under financial services regulations, monitoring activity data as recorded on computer and telecommunication systems, economic viability and ratings, complaints, grievances, and disciplinary records);
• information relating to Employee absences from work;
• information relating to Employees’ mental and physical health and mental or physical disabilities (collectively, “Health Data”);
• general organizational data (such as department, work location, job title and seniority);
• information technology data (e.g., passwords, access rights and usage data);
• recordings of telephone calls made by certain representatives of the Company with clients or prospective clients of the Company;
• photographic and video images; and
• other data that the Individual provides to the Fisher group of companies (the “Fisher Group”).

Personal Data are collected mainly from Individuals themselves. In addition, the Company collects reference check information from the Individuals’ previous employers or contracting companies. Background check information, which may reveal data concerning criminal convictions or offences, is collected from professional background checking firms that collects Personal Data from both public and private sources with consent of the Individual.

3. Use of Personal Data

a. Purposes and Lawful Bases

The Company processes Individuals’ Personal Data for the following purposes, and upon the legal bases set out in the table below:

Individuals’ Personal Data will not be subsequently processed in a manner inconsistent with the above purposes or in cases other than those stated in Article (10) of the PDPL, including without limitation, with consent, where the Personal Data is publicly available or was collected from a publicly available source, as required for public interest or security purposes or to implement another law or fulfill judicial requirements, to protect the health or safety of the public or specific individuals, or to achieve the legitimate interests of the Company.
Where the Company relies upon its ‘legitimate interest’ as a legal basis for a particular purpose, the Company does so without prejudice to the rights and interests of the Individuals, and provided that no Sensitive Data is to be processed.

b. If Employees/Tied Agents fail to provide Personal Data

Where the Company collects Personal Data to comply with a legal obligation or to administer its relationship with the Individual, including all related purposes described above, and the Individual does not provide such data, it could make it impossible for the Company to fulfil some or all of its obligations towards the Individual (such as payment of compensation or calculation of withholdings) and the Company may not be able to employ or engage the Individual and may need to terminate the applicable agreement. The Company will notify the Individual if this is the case at the time. If an Individual wishes to be considered as a candidate for employment or engagement but does not consent to background checks, the Company will not be able to consider the candidacy further.

4. Sharing of Personal Data

a. Who will the Company share Personal Data with?

The Company will not sell or lease Individuals’ Personal Data to third parties.

For the purposes listed in Section 3 above, the Company may share Personal Data with:

• One or more Fisher Group companies providing services to the Company, including without limitation:
  • The Company’s parent company in the United States (“US”), Fisher Asset Management, LLC;
  • The Company’s sister company in the United Kingdom (“UK”), Fisher Investments Europe Limited;
  • The Company’s sister companies in the European Union (“EU”), including Fisher Investments Ireland Limited and Fisher Investments Luxembourg, Sàrl.
• Authorized vendors, service providers, contractors and representatives, as follows:
  • Other Contractors of the Fisher Group who have access to Company systems, including email, and receive emails that may include Personal Data of Individuals.
  • Information technology and security providers, including cloud software, communications, systems and software related to the Company’s activities, internet and internet firewall and malware detection providers.
  • Providers of the Company’s employee benefit programs.
  • Service providers that carry out background checks at the request of the Company.
  • Service providers that assist Employees with work authorization or visas and/or relocation.
  • Vendors providing training or firm events, which may receive names and/or Company email addresses of Individuals.
  • Photographers and videographers capturing images of Individuals.
  • Providers of third party professional advice, such as lawyers and auditors.

Such service providers will generally be located in the Kingdom of Saudi Arabia (“KSA”), US, Canada, EU or UK (“Approved Countries”), and to the extent they are providing a regulated service, subject to applicable local financial services laws.

• Future employers requesting reference checks and third parties (including banks, mortgage lenders and landlords) requesting employment or earnings confirmation letters.
• Courts and tribunals, as described above in Section 3.
• Regulators (including the relevant financial regulators), tax authorities, other government agencies and law enforcement organisations, as described above in Section 3.

b. What safeguards are in place where Personal Data is transferred outside of the KSA?

Where the Company transfers Personal Data to a data recipient in a jurisdiction outside of the KSA where the laws do not provide an equivalent level of data protection as the KSA, the Personal Data will be transferred in accordance with Standard Contractual Clauses that provide a sufficient level of protection for Personal Data or to the extent necessary for the performance of an agreement to which the Individual is party or necessary for the public interest or in connection with the investigation, detection or prosecution of crimes, together with a risk assessment of such transfer.

5. Consent

Individuals who consent to the Company using their Personal Data may withdraw that consent at any time. Individuals may do so using the details set out in Section 1 above.

When doing so, Individuals should:

• ensure that a full name and address and/or email address is provided in exactly the form in which it was originally provided to the Company to avoid any possible confusion with a different Individual; and
• ensure that the particular uses for which consent is being withdrawn are specified. The uses for which the Company relies on consent are set out in Section 3 above.

6. Individuals’ Rights

Under the Privacy Laws, in addition to the right to be informed of the matters set out in this Policy, Individuals have the following rights in relation to their Personal Data that the Company holds:

• To access their Personal Data held by the Company;
• To request obtaining their Personal Data held by the Company in a readable and clear format;
• To request correcting, completing or updating their Personal Data held by Company;
• To request the erasure of their Personal Data held by the Company when such Personal Data is no longer needed by the Company.

To exercise these rights, Individuals should contact the Company using the details set out in Section 1 above. In such case, Individuals should ensure that the full name and address and/or email address are provided in exactly the form in which they were originally provided to the Company to avoid any possible confusion with a different Individual.

7. Security

The Company is committed to ensuring that Personal Data is secure. In order to prevent unauthorized access or disclosure, the Company has put in place appropriate physical, electronic and managerial procedures to safeguard and secure Personal Data collected. The Company also uses encryption when collecting or transferring sensitive data. The Company stores Personal Data locally, in the Kingdom, in the cloud and servers located in the Approved Countries.

8. How Long Data Will Be Kept

The Company retains Personal Data until the lapse of the specific period for which there was a legal basis for retaining such Personal Data or until the purpose of the collection of the Personal Data is satisfied, whichever is later. As detailed in Section 3 above, legal basis may include implementing an agreement, complying with Applicable Law, in connection with judicial procedures, and for the Company’s legitimate interests. Following the end of the retention period, Personal Data will be destroyed in accordance with the Company’s record retention schedule.

9. Cookies

A cookie is a small text file with an identification tag that is created and downloaded to a user’s computer (or other device) when accessing websites that use cookies. Cookies allow a website to, among other things, store and retrieve information about a user’s online activity and browsing habits. Depending on the information they contain and user behaviour, cookies may be used to identify the user.

Cookies can be categorized by who places them:

• First-party cookies: These cookies are downloaded to a user’s computer (or other device) by the publisher of the website whose service the user is requesting.
• Third-party cookies: These cookies are downloaded to a user’s computer (or other device) by another entity that may be seeking data obtained through cookies.

Cookies can also be categorized by their duration:

• Session cookies: These cookies are designed to collect and store data while the user accesses a website. They are often used to store information for the duration of a visit to the website (e.g., what account user is logged into). Once a user leaves the website, the session cookie is deleted.
• Persistent cookies: These cookies store data on the user’s computer (or other device) for the duration period set within the cookie’s file, which is determined by the entity controlling the cookie and can range from a few minutes to several years, or until the user manually deletes them.

Lastly, cookies can be categorized by the function they serve. The Company uses the following types of first- and third-party cookies:

• Required: Required cookies are necessary to enable the basic features of this site to function. They keep track of whether or not a user has consented to have other types of cookies placed on their computer (or other device). Required cookies do not collect Personal Data. Required cookies may also include authentication cookies.
• Statistical: Statistical cookies analyze pseudonymized site statistics. They enable measuring the number of visitors and analysing how users interact with the website. This information is used to improve the website and the products or services offered.
• Marketing: Marketing cookies are used to understand user interests, provide relevant ads, and make a user’s online experience more enjoyable. They can be used to build a user profile to provide users with content more relevant to their interests. They adapt advertising and the content users see on other websites based on their website browsing habits, as well as how users interact with internet advertising.
• Preferences: Preferences cookies allow the website to personalize website content, such as the language selected for viewing the page. These also save a user’s cookie preference settings.

The Company uses first- and third-party required, statistical, marketing and marketing and preferences cookies. The following vendors load cookies on this website:

• Sitecore

For further information on cookies and to manage them, please click here.

Some browsers have a “Do Not Track” setting that allows users to send a signal to the websites they visit that the user does not wish to be tracked. The Company’s website does not respond to these signals.

The websites used by the Company for job postings and submitting applications have their own privacy and cookie policies, which are listed below:

• Talemetry: Information about how Talemetry processes Personal Data and uses cookies is available at https://www.talemetry.com/privacy-policy.
• iCIMS: Information about how iCIMS processes Personal Data and uses cookies is available at https://www.icims.com/legal/privacy-notice-website/.

10. Social Media

The Company maintains a presence on various social media platforms. The terms and conditions set by the operators of the various platforms apply to the Company and any Individuals who interact with the Company through the platforms. More information about each of the various platforms is available below.

• Facebook: The Company is subject to an agreement with Facebook Ireland Limited, which determines their respective responsibilities with respect to Personal Data. Facebook Ireland Limited is responsible for enabling Individuals’ rights with respect to Personal Data it stores. Information about how Facebook processes Personal Data is available at https://www.facebook.com/about/privacy. The terms applicable to the various Facebook products set out the purposes for which Personal Data is collected and transmitted.
• LinkedIn: Information about how LinkedIn processes Personal Data is available at https://www.linkedin.com/legal/privacy-policy.
• Instagram: Information about how Instagram processes Personal Data is available at https://www.instagram.com/legal/privacy.
• YouTube: Information about how YouTube processes Personal Data is available at https://policies.google.com/privacy.

11. Changes to Privacy & Cookie Policy

From time to time, the Company may use Personal Data for new, unanticipated uses not previously disclosed in this Policy to the extent permitted by law. If its practices regarding Personal Data change at some time in the future, the Company will post the policy changes to https://www.fisherinvestments.com/ar-sa/privacy.